The security configuration for the Db2 Data Gate synchronization function fails
An error message indicates the failure of the security configuration for the synchronization function.
Symptoms
An error message similar to the following is displayed on the Cloud Pak for Data web interface:Unable to configure security for synchronization. Unable to test connection. Check your network connection, validate PKCS12 certificate.
Causes
During the configuration of a data source, Db2 Data Gate tests the connection to Db2 for z/OS®, to the web user interface service, and to the Db2 Data Gate server service on Cloud Pak for Data. The connection test can be broken up into the following steps:
- The web user interface service on Cloud Pak for Data connects to Db2 for z/OS by a Java Database Connectivity (JDBC) SSL connection and calls a stored procedure.
-
The Db2 for z/OS stored procedure connects to the Db2 Data Gate server service on Cloud Pak for Data through an encrypted connection. This is a two-step process:
- The stored procedure sends a request to the Stunnel service on Cloud Pak for Data.
- The Stunnel service routes the request to the Db2 Data Gate server service on Cloud Pak for Data.
- The Db2 Data Gate server service sends a response to the stored procedure.
- The stored procedure passes the response to the web user interface service on Cloud Pak for Data.
A failure in any of these steps leads to the failure of the entire connection test. There might be various reasons for this.
Diagnosing the problem
The most likely reasons are listed here. Check each one of them to see if it applies:
- The inbound network connection to z/OS
is not configured correctly. For example, the host name, the port, or the IP address of the Db2 Data Gate instance might be wrong. For more
information about the configuration of inbound network connections, see Configuring inbound access to Db2 for z/OS for Db2 Data Gate.
Also make sure that you run the command F PAGENT,REFRESH to let changes to the configuration of the policy agent take effect.
- The outbound network connection from z/OS is not configured correctly. The PKCS12 certificate might be invalid, or the user might have
insufficient privileges. For more information about the configuration of outbound network
connections, see Encrypting outbound network traffic from Db2 for z/OS to Db2 Data Gate
The PKCS12 certificate is used by the Stunnel service on Cloud Pak for Data. Verify that the Stunnel service is working by running following command on the machine where Cloud Pak for Data is installed:
whereopenssl s_client -connect <hostname>:<port> -msg
- <hostname>
- Is the host name you specified during the creation (provisioning) of the Db2 Data Gate instance.
- <port>
- Is the port number you specified during the creation (provisioning) of the Db2 Data Gate instance.
The expected output of this command is:
TLS 1.2 Handshake [length 00c3], ClientHello ... ... <<< TLS 1.2 Handshake [length 003d], ServerHello ... ... <<< TLS 1.2 Handshake [length 0631], Certificate ... ... <<< TLS 1.2 Handshake [length 014d], ServerKeyExchange ... ... <<< TLS 1.2 Handshake [length 0004], ServerHelloDone ... ... TLS 1.2 Handshake [length 0046], ClientKeyExchange ... ... TLS 1.2 ChangeCipherSpec [length 0001] 01 TLS 1.2 Handshake [length 0010], Finished ... ...
- The route is not configured correctly. To check this:
- Log in to the infrastructure node of Cloud Pak for Data.
- List the existing routes by running the following
command:
oc get route
- Make sure there is only one record for a particular Db2 Data Gate instance. For example:
NAME HOST/PORT PATH SERVICES PORT TERMINATION dg1591202855434 dg.demo.os.ibm.com dg-1591202855434-data-gate-server-svc 11400 passthrough
The NAME contains the ID (that is, 1591202855434 in the above example) of the Db2 Data Gate instance. This ID is also shown in the URL on the web user interface when you open the Db2 Data Gate instance, for example:https://xxxxx/data-gate/#/details/1591202855434
- The iptable firewall of Cloud Pak for Data is not
configured correctly. If the port of the Db2 Data Gate instance is 443 (the default value), you
need not redirect connections over this port.However, if the port of the Db2 Data Gate instance is not 443 (for example, the port might be 44443), check the iptable settings:
- Log in to the infrastructure node of Cloud Pak for Data.
- Display the settings of iptables by running the following
command:
iptables -t nat -L
- Make sure the port (for example 44443) is redirected to port 443. The expected output looks like
this:
Chain PREROUTING (policy ACCEPT) target prot opt source destination REDIRECT tcp -- anywhere anywhere tcp dpt:44443 redir ports 443 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination
- The setting for IP forwarding is incorrect. If the port of the Db2 Data Gate instance is 443 (the default value), you
need not configure IP forwarding (
net.ipv4.ip_forward
)However, if the port of the Db2 Data Gate instance is not 443 (for example, the port might be 44443), check ifnet.ipv4.ip_forward
is set to1
in the /etc/sysctl.conf file. To this end, display thenet.ipv4.ip_forward
setting in sysctl.conf by running the following command:cat /etc/sysctl.conf | grep net.ipv4.ip_forward
A value of
1
means that IP forwarding is enabled. A value of0
means IP forwarding is disabled.Make sure that
net.ipv4.ip_forward = 1
is set.
Resolving the problem
- If the inbound network connection to z/OS is not configured correctly, correct the configuration by following the steps in Configuring inbound access to Db2 for z/OS for Db2 Data Gate.
- If the outbound network connection from z/OS is not configured correctly, correct the configuration by following the steps in Encrypting outbound network traffic from Db2 for z/OS to Db2 Data Gate.
- If the route is not configured correctly, change the route setting for the Db2 Data Gate instance. The route is set during the creation of the instance (provisioning). So you need to delete the instance and provision a new one.
- If the iptable firewall of the Cloud Pak for Data
cluster is not configured correctly, run the following command:
iptables -t nat -A POSTROUTING -j MASQUERADE
Note that you have to run this command only once for all Db2 Data Gate instances in a Cloud Pak for Data cluster.
To change the port redirection, for example from port 44443 to port 443, run the following command:iptables -t nat -A PREROUTING -p tcp --dport 44443 -j REDIRECT --to-port 443
- If port forwarding is disabled, run the following command to fix
this:
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf sysctl -p